(S//SI//REL) What Your Mother Never Told You About SIGDEV Analysis

S3621 Net Pursuit
Network Analysis Center
(U//FOUO) What have I learned in my first two years in SIGDEV?

- Important to understand the data that you are searching against
- (S//SI//REL) Important to understand the hidden treasures and nuances in various SIGDEV tools
- (U//FOUO) Nothing is 100%: there are always exceptions to the tools and the rules
- (S//SI//REL) Took a network view of VPNs
(TS//SI//REL) What Makes SIGDEV Analysis Challenging?

- (U//FOUO) Requires knowledge of.....
  - (S//SI//REL) Access and collection
  - (S//SI//REL) Network protocols
  - (S//SI//REL) Routing
  - (TS//SI//REL) Encryption
(U//FOUO) Challenges etc....

- (TS//SI//REL) Technical jargon and abbreviations
  - IPSEC
  - IKE
  - MPLS
  - PSK
  - PPTP
  - L2TP
  - GRE
  - Cisco commands
(TS//SI//REL) Challenges etc....

- (S//SI//REL) Tools
  - How to use them
  - Knowing that they exist
  - Multiple query languages
    - SQL for TOYGRIPPE
    - Oracle Text Query in DISCOROUTE
  - Quantity
(S//SI//REL) Building Network Knowledge

[Diagram: BLACKPEARL, TOYGRIPPE, XKEYSCORE]

Maximize the [...] of the tools for [...]
(S//SI//REL) DISCOROUTE

NAC's router configuration database

 

(U//FOUO) DISCOROUTE

- (C) NAC project to acquire, parse, database and display configuration files from network devices
- (C) Allows analysts to mine device configs for SIGDEV discovery

[Graphic: router configs are a rich source of network information]
(S//SI//REL) All IPs are important because they all belong to a device and they all have a purpose in the network

- (S//SI//REL) Search for
  - Endpoint IPs
  - Loopback IPs
  - Opposite end of a point-to-point connection
  - IPs found in pings and telnets
- (S//SI//REL) Make note of the source and destination IPs of the config
(U//FOUO) DISCOROUTE

- (U//FOUO) Country Search
- (U//FOUO) IP Search
- (U//FOUO) Text Query
- (TS//SI//REL) Manifest Tag Selection
  - K — Crypto Keys
  - H — TAO Pop
  - M — Multihop
- (S//SI//REL) VPN report
(S//SI//REL) DISCOROUTE: Country Search

- (S//SI//REL) IPGeo lookup on every IP address that is parsed
- (S//SI//REL) Configs with only private IPs will not show up in the results of a country search

 

(S//SI//REL) DISCOROUTE: Searching for IP

- (S//SI//REL) Text query
  - searches through the payload
  - If you only search using this field, then you will miss
    - configs that have your IPs of interest as the source and destination address
    - configs where your IP falls within the range of the interface mask
- (S//SI//REL) IP address field search
  - searches through the parsed file
  - If you only search using this field, then you will miss configs with your IPs of interest in pings, telnets, arp commands

 

(S//SI//REL) DISCOROUTE Search 1 Feb to 13 Apr:

- (S//SI//REL) Text query: — in the payload
  - 3 results
- (S//SI//REL) IP Address Search: searching for the IP in the parsed file
  - Exact IP search
  - De-duped by most recent
  - 28 results (27 had — as the source IP)
- (S//SI//REL) Somalia Country search: 66 results (12 of those had a source IP of —)
- (S//SI//REL) Difference: IP was the source IP for configs more times than it occurred in the payload data
(S//SI//REL) Why fewer configs for — in the country search?

- (S//SI//REL) 12 as opposed to 27
- (S//SI//REL) Geo location for — was Hong Kong for a period of time
- (S//SI//REL) Geo is assigned to router configs at the time of ingest and not changed if the IP location is corrected

 

(S//SI//REL) Data Found in a Text Query: Inner Network IPs in a Huawei Config

    <LNS>dis firew se *
    04:19:05 2011/06/18
    Current total sessions : 19
    udp VPN: public -> public —

    [Inner IPs highlighted in the session listing]

    Press CTRL+K to abort
    Connected to —
(S//SI//REL) DISCOROUTE

- (TS//SI//REL) H — [...] the router
- (S//SI//REL) M — multihop router. The admin telnetted into a router and then telnetted again to another device. Potential goldmine of information about your network, but be careful when looking through them to make sure you are associating an IP with the correct device.
- (TS//SI//REL) K — crypto keys
(S//SI//REL) VPNs In Router Configs

- (TS//SI//REL) DISCOROUTE sets manifest tags to 'K' for configs with crypto information
- (S//SI//REL) Separate parsers developed for each vendor to pull out the endpoints and the pre-shared keys
  - Cisco
  - Huawei
  - Juniper

 

(S//SI//REL) VPN Information in a Cisco Config

(S//SI//REL) Endpoint, PSK and Description Fields

    crypto isakmp key VpnsAreCool address —
    crypto map VPNS-ROCK 10 ipsec-isakmp
     set peer —
    interface Tunnel1
     description Tunnel TO theStars
     bandwidth 512
     ip address —
     ip tcp adjust-mss 1350
     load-interval 30
     keepalive 5 2
     tunnel source —
     tunnel destination —
     crypto map VPNS-ROCK
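The "Searching for IP" slide (text query versus parsed-field search) and the Cisco config above, as an added example that is not part of the deck and is not DISCOROUTE's parser: a small Python auditor a network owner can run over their own config backups to list the secrets and endpoints a config exposes, and to see why an exact-IP match, a subnet match and a free-text match return different configs. Hostname, addresses (documentation ranges) and secrets in it are constructed samples, not values from the deck.

```python
"""Added example (not from the deck): audit a Cisco IOS config for what it
exposes, and answer "does this config reference IP X" three different ways.
All addresses and secrets below are constructed samples."""
import ipaddress
import re

# Constructed config; the trailing '!' line stands in for operator session
# output (a ping) captured together with the config, which only a free-text
# search over the raw payload would ever see.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip domain name lifesabeach
username deb privilege 5 password 7 082C495A0C1617
snmp-server community dancer RW 70
crypto isakmp key VpnsAreCool address 198.51.100.7
crypto map VPNS-ROCK 10 ipsec-isakmp
 set peer 198.51.100.7
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface FastEthernet0/0
 description Connected To ASA/Firewall
 ip address 192.0.2.17 255.255.255.240
interface Tunnel1
 description Tunnel TO theStars
 ip address 10.20.30.1 255.255.255.252
 tunnel source 192.0.2.17
 tunnel destination 198.51.100.7
 crypto map VPNS-ROCK
! ping 10.20.30.40
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Each pattern names what it exposes; the last capture group is the value an
# auditor cares about. "password 7" is a reversible encoding: treat as cleartext.
FINDINGS = [
    ("isakmp_psk",      re.compile(r"^crypto isakmp key (\S+) address (\S+)", re.M)),
    ("crypto_map_peer", re.compile(r"^\s*set peer (\S+)", re.M)),
    ("tunnel_source",   re.compile(r"^\s*tunnel source (\S+)", re.M)),
    ("tunnel_dest",     re.compile(r"^\s*tunnel destination (\S+)", re.M)),
    ("type7_password",  re.compile(r"^username (\S+) .*password 7 (\S+)", re.M)),
    ("snmp_rw",         re.compile(r"^snmp-server community (\S+) RW", re.M)),
    ("domain_name",     re.compile(r"^ip domain name (\S+)", re.M)),
]


def audit(config):
    """Return (label, captured_groups) for every exposed secret or endpoint."""
    return [(label, m.groups()) for label, rx in FINDINGS
            for m in rx.finditer(config)]


def interfaces(config):
    """Map interface name -> IPv4Interface from each 'ip address A M' line."""
    result, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
        elif name and line.strip().startswith("ip address "):
            addr, mask = line.split()[2:4]
            result[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return result


def references(config, ip):
    """Three views of 'this config contains IP X', each returning a different set:
    payload   - raw text mentions it (free-text query; sees ping/telnet lines)
    parsed    - exact parsed interface/peer/tunnel address (IP-field search)
    in_subnet - inside an interface's mask but written nowhere, so neither
                query above returns this config"""
    target = ipaddress.IPv4Address(ip)
    ifaces = interfaces(config).values()
    parsed = {str(i.ip) for i in ifaces}
    parsed |= {g[-1] for _, g in audit(config) if IP_RE.fullmatch(g[-1])}
    return {
        "payload": ip in IP_RE.findall(config),
        "parsed": ip in parsed,
        "in_subnet": any(target in i.network for i in ifaces),
    }
```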
(S//SI//REL) VPN Information In a Cisco Config

(S//SI//REL) Netstrings: Username, SNMP Community & Domain Names

    username deb privilege 5 password 7 082C495A0C1617
    snmp-server community dancer RW 70
    snmp-server community tangosnmp RW 60
    ip domain name lifesabeach
(S//SI//REL) VPN Information in a Huawei Config

    exchange-mode aggressive
    pre-shared-key GoHokies
    ike-proposal 60
    undo version 2
    local-id-type name
    remote-name svn
    remote-address —
    remote-address authentication-address —
    nat traversal
    #
    ipsec proposal GoHokies
    #
    ipsec policy helloworld 60 isakmp
     security acl 3060
     ike-peer proposal GoHokies
    #
    interface Virtual-Template1
     ip address —
     remote address pool 1
    #
    interface GigabitEthernet0/0/0
     ip address —
    #
    interface GigabitEthernet0/0/1
     description GigabitEthernet0/0/1 Interface
     ip address —
     ipsec policy helloworld


(S//SI//REL) VPN Information in a Juniper Config

    set ike gateway "BadguyVPN" address — Main outgoing-interface "untrust" preshare "xGe7YOYfo3DNGsp4GCq+fgCdondsCBQtio/3YvabR7szDerVD4=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
    set ike gateway "BadguyVPN" cert peer-ca all
    set ike gateway "BadguyVPN Backup" address — Main outgoing-interface "untrust" preshare "YWZprUvNGQvasiXdev3pxRDnLEAx09877SfJFLng9uthSyYPP|=" proposal "pre-g2-3des-sha" "pre-g2-3des-md5"
    set ike gateway "To Mouse" address — Main outgoing-interface "untrust" preshare "fn3VGSElNI+amHsDeyChcquVHnustj4w==" proposal "pre-g2-3des-sha"
    set ike respond-bad-spi 1
    set vpn "BadguyVPN" gateway "BadguyVPN" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"
    set vpn "BadguyVPN" monitor optimized rekey
    set vpn "BadguyVPN" id 5 bind interface tunnel.3
    set vpn "backup BadguyVPN" gateway "BadguyVPN Backup" no-replay tunnel idletime 0 proposal "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-sha" "nopfs-esp-3des-md5"
    set vpn "backup BadguyVPN" monitor optimized rekey
    set vpn "backup BadguyVPN" id 4 bind interface tunnel.1
    set vpn "From Rat" gateway "To Mouse" no-replay tunnel idletime 0 proposal "nopfs-esp-des-md5"
    set vpn "From Rat" monitor optimized rekey
    set vpn "From Rat" id 6 bind interface tunnel.2
(S//SI//REL) VPN Report Search

- (S//SI//REL) Some of the fields that you can search in...
  - Country
  - IP Address
  - SIGAD/Case Notation
  - Descriptions: crypto map and interface
  - Netstrings: Username, Domain Name
  - Pre-shared keys
  - Device Hostname
  - TAO Project Name

 

    

[Screenshot: DISCOROUTE VPN Report Form (version 2.1?). Fields: IP Address; Start Date 2012-03-14 00:00:00; End Date 2012-04-13 23:59:59; Tunnel Source; Tunnel Dest; VPN Source; VPN Remote; Interface; Load Date / Entire Database; Hostname; Pre-Shared Keys; SIGAD; Snmp Community; Case; Interface Descr; Country; Crypto Descr; TAO Project Name; Username; Session ID; Domain Name. Buttons: Generate Report, Generate Report in New Window, Clear Panel.]
(S//SI//REL) VPN Report

[Screenshot: DISCOROUTE VPN Report Form, Query Results, Session ID 1332289408998; IP addresses redacted]

Hostname: IBL_Baghdad_Router   Vendor: cisco   Sigad: USJ-?59A   Case Notation: [unreadable]   Collection Source: XKeyscore   Country: LB   TAO Project: [blank]   TAO Pop: No

Interfaces
Interface ID      IP Address   Network Mask      Description
Loopback0         —            255.255.255.255   UDICE traffic
FastEthernet0/0   —            255.255.255.240   Connected To ASA/Firewall
FastEthernet0/1   —            255.255.255.248   Connected To 2MB DSL
Serial0/1/0       —            255.255.255.240   Connected To DVB

Tunnels
ID        Source   Dest   Description
Tunnel1   —        —      Tunnel TO Beirut
(row repeated four times)

VPN Peers
ID            Router IP   Remote IP   VPN Type   PSKs   Description
Serial0/1/0   —           —           ipsec      —      IblBaghdad
Tunnel1       —           —           ipsec      —      IblvoiceVpn
(pair of rows repeated four times)
(S//SI//REL) VPN Report

- (S//SI//REL) Use the VPN report as a start but not as the final answer for VPNs from a country or a SIGAD
- (C) Query in different ways to make sure you get as much of the data as possible
- (TS//SI//REL) Depending on your scenario you may want to start with a country search, an IP range or a descriptive term
(S//SI//REL) Description & Net Strings Searches

- (S//SI//REL) Suppose you do a general VPN report query
  - Search by country
  - Search by SIGAD
- (S//SI//REL) Find a VPN of interest
- (S//SI//REL) Analyze the NetStrings and the description fields
(S//SI//REL) NetStrings

- (S//SI//REL) Follow on VPN report using a netstring specific to your network
  - Snmp community string: pegasus
  - Domain name: badguy.com
  - Username
- (S//SI//REL) Search ROYALNET
  - Analytics to find other netstrings related to your target
  - Analytics to find links likely to carry your target's communications
(U//FOUO) BLACKPEARL

(S//SI//REL) NAC tool enabling automated DNI link and network characterization against survey collection across the SIGINT system
(S//SI//REL) BLACKPEARL

- (S//SI//REL) General Query
- (S//SI//REL) Customized reports
  - VPN report
  - DNI Access Essentials
  - MPLS report
  - Five Tuple Report
(S//SI//REL) BLACKPEARL IP Searches

- Interface IPs
- Loopback IPs
- Source or destination IPs of the router config file
- Inner network IPs
- Analyze other IPs on the link

 

(U//FOUO) BLACKPEARL

- (S//SI//REL) Search 'All traffic' and include subchannels and tunnels if no results found under limited search
- (S//SI//REL) If link is identified as MPLS then look at the other IPs in inner labels, if present
- (S//SI//REL) Use BLACKPEARL for finding access and gathering information on your network
(S//SI//REL) Search for Inner Tunneled IPs

- (S//SI//REL) Query BLACKPEARL with an endpoint IP
  - Find other tunneled IPs — inner network IPs on which you can do follow-on searches
- (S//SI//REL) Query DISCOROUTE with any new IPs found
- (TS//SI//REL) Success: Discovered information on Somalia's Hormuud network
(TS//SI//REL) Example: Hormuud Network

- (S//SI//REL) Began with loopback IPs from a spreadsheet
  - —
- (S//SI//REL) Found configs for 2 of the 12 loopbacks in a text query in DISCOROUTE
  - — and — were in the payload but not parsed
- (S//SI//REL) Took the IPs from those configs and found other configs, one with hostname 'LNS'

 

 

(U) Example

- (S//SI//REL) BLACKPEARL hit on LNS IP
  - Inner IPs in L2TP tunnels
  - DR search for inner IPs from the L2TP tunnels and found more configs
- (U//FOUO) Many of the configs were multi-hop
- (S//SI//REL) Information compiled for TAO
  - ~400 IPs for over 50 devices

 

 

(S//SI//REL) BLACKPEARL Search:

[Screenshot: five-tuple summaries for three L2TP tunnels; tunnel addresses redacted]

L2TP tunnel Source Address — and Destination Address —
Number of Five Tuples: [unreadable]
#  Source Address  Dest Address  Source Port  Dest Port  Next Protocol  % Packets  # Packets
1  —               —             22           4527       TCP (6)        100.0      43

L2TP tunnel Source Address — and Destination Address —
Number of Five Tuples: 6
#  Source Address  Dest Address  Source Port  Dest Port  Next Protocol  % Packets  # Packets
1  —               —             3101         53771      TCP (6)        67.2       33
2  —               —             6006         53770      TCP (6)        3.6
3  —               —             6000         53050      TCP (6)        6.0
4  —               —             6006         53733      TCP (6)        6.3
5  —               —             6000         53773      TCP (6)        5.2
6  —               —             6000         53732      TCP (6)        5.2

L2TP tunnel Source Address — and Destination Address —
Number of Five Tuples: 2 (24 total packets)
#  Source Address  Dest Address  Source Port  Dest Port  Next Protocol  % Packets  # Packets
1  —               —             23           3073       TCP (6)        33.3       20
2  —               —             23           3080       TCP (6)        16.7       4
(U//FOUO) TOYGRIPPE

(S//SI//REL) VPN Metadata Repository

(S//SI//REL) Building VPN Network Knowledge

- (S//SI//REL) VPNs are part of a larger network
- (S//SI//REL) Inner or tunneled IPs are a peek inside the target's network
- (S//SI//REL) Beneficial to look beyond the endpoints of your VPN
- (S//SI//REL) Combine information from as many SIGDEV databases as you can
(U//FOUO) TOYGRIPPE

- (S//SI//REL) Search 3 months at a time
- (U//FOUO) Keep going back in time if no results found
- (S//SI//REL) Take endpoint IPs found here and search in
  - DISCOROUTE -- device information
  - BLACKPEARL -- inner tunneled IPs
- (S//SI//REL) Country report
(U//FOUO) TOYGRIPPE

- (S//SI//REL) Make note of other connections to the IP of interest and search for them separately
- (S//SI//REL) You might not find what you are looking for, but it still may be important
- (S//SI//REL) Convert the target domain name to hex and search for it in the idData field
  - badguy.com → 6261646775792e636f6d
  - (idData LIKE '%6261646775792e636f6d')
(U//FOUO) Endpoint IP

- (S//SI//REL) Query each IP in TOYGRIPPE separately
  - Try to determine the importance of the connections
  - Note other VPN connections: all IPs are important until proven otherwise
- (TS//SI//REL) Success: Discovered Iranian corporate intranet
(S//SI//REL) Building a VPN Intranet: Searching back through [...]

[Diagram: VPN connections between Izmir, Malaysia, Istanbul, Armenia, Tehran, Ankara and South Korea, with Tehran at the centre]

All branches of the same company. Hub was in Tehran.

 

 

(S//SI//REL) Finding Suspicious VPN Connections

[Diagram: the same company network (Izmir, Malaysia, Istanbul, Armenia, Tehran, Ankara, South Korea) with two additional connections highlighted]

(TS//SI//REL) Two connections outside the target company
(S//SI//REL) Discovery of a Data Center

[Diagram with narrative:]

I had IP A, an endpoint IP from a router config, and was looking for VPN connections to IP B, which I did not find...

....but in the process of looking, I found VPN connections to IP C in TOYGRIPPE....

...and when I did a follow-on search in TOYGRIPPE for IP C.... I found it only established VPN connections to IP A

Later discovered that IP C belonged to a data center in another country
(S//SI//REL) Search for other end of the point-to-point

- (S//SI//REL) You have VPN endpoints from a GNOME report or a TOYGRIPPE search
- (S//SI//REL) Search for that IP in the DISCOROUTE VPN report GUI — you don't find it
- (S//SI//REL) Try to search for the other end of what would be a point-to-point connection in DISCOROUTE to find the customer edge router
- (S//SI//REL) END GOAL: find more information about the network

[Diagram: (S//SI//REL) Customer Edge Routers]
(U//FOUO) NKB and RONIN

(U//FOUO) NKB is NSA's Network Knowledge Base, delivering target communications' DNI and enrichment data

(S//SI//REL) RONIN is a device characterization database and one of the enrichments to NKB
(U//FOUO) NKB

- (S//SI//REL) RONIN data
  - Server Analytics: VPN identified through application layer information in ASDF
  - Wiki: VPN Metadata in ASDF
  - VPN Analytics: endpoint in TOYGRIPPE
  - Router Config: new descriptive information coming soon to include tunnel & VPN information for IPs
  - Example: Kenya VPN IP —

 

 

 

 

 

(U//FOUO) NKB Search for —

[Screenshot: NKB search results for the Kenya VPN IP, listing router interface, hardware and service records; text not recoverable]
(U//FOUO) GNOME

Tool to extract and correlate information from a variety of NAC, SSG, SSO, NTOC and other metadata databases
(S//SI//REL) Keep an Eye on the Entire Netblock

- (S//SI//REL) Multiple VPNs for one target
  - different purposes
  - different clients

 


(S//SI//REL) GNOME Task: Private IP VPNs

- (S//SI//REL) Find a public IP associated with your private IP
  - Loopback IP
  - Another interface IP
- (S//SI//REL) Use those for your GNOME report and look for your private IP on the same link
- (S//SI//REL) Data presented in the VPN tab in GNOME report is limited
(U//FOUO) Network Patterns...

(S//SI//REL) IP Patterns

- (S//SI//REL) Admins are people -- lean towards predictability in assignment of IPs to make their job easier
- (S//SI//REL) IP or a combination of the octets could be an indication of:
  - network provider
  - location
  - specific purpose in the network
(S//SI//REL) Example #1: Private IP VPN

- (S//SI//REL) Client side of the VPN: —
  - Second octet indicated the network provider
    - 20 = network provider #1
    - 21 = network provider #2
  - Second and third octet = country
    - 20.30 and 21.30 were the same country but different providers
  - 40 = individual target entity in that country
- (S//SI//REL) Server side of the VPN: —
  - Second octet indicated network provider
    - 51 = network provider #1
    - 52 = network provider #2
(S//SI//REL) Example #2: Network Patterns

(S//SI//REL) Public IP VPN: —.#

- Third octet = country location of this IP (three possible)
- Fourth octet: country location of the other side of the VPN connection

[Figure: analyzed and identified octet values for the public IP; text not recoverable]
(U//FOUO) Final Thoughts...

- (S//SI//REL) Just because you don't get results doesn't mean the answer isn't there
  - If you're looking for a connection from A to B and don't find it, then maybe you need to look for one from A to C to B
- (S//SI//REL) Try the query a different way
  - Widen the search either by wildcarding (if permitted) or by selecting a different drop-down option
  - Enter information in a different field
(U//FOUO) Final Thoughts...

- (S//SI//REL) All IPs are important until proven otherwise
  - They all serve a purpose and belong to a device
  - Make note of what you find even if you don't know at the time what it means
- (S//SI//REL) Search for data even if results are unlikely
- (S//SI//REL) Don't necessarily discard dated information

(U//FOUO) Final Thoughts...

- (U//FOUO) Understand the data that you are searching and what the fields in the GUI are searching for
- (U//FOUO) Take an iterative approach: start searches wide, then narrow them down, then widen back out again
- (S//SI//REL) Bounce between the different databases and use the tools for every aspect of your network analysis
VPN SIGDEV: Build the network knowledge...

- (TS//SI//REL) Dig beyond paired collection, PSKs and persistence
- (S//SI//REL) Discovery of the inner IPs of the VPN is possible in ways other than decryption
- (S//SI//REL) Investigate device IPs
- (U//FOUO) Look for patterns
- (S//SI//REL) Discover the 'N' of your VPN
(U//FOUO) Questions?

S3621 Net Pursuit
Network Analysis Center

(S//SI//REL) Simplifying and Automating VPN

Network Analysis Center
(U//FOUO) The Ultimate Goals

- (S//SI//REL) Integrate VPN information into mainstream analytic tools and knowledge bases.
- (S//SI//REL) Give analysts the ability to discover, develop, and track known targets using VPNs.
- (S//SI//REL) Give analysts the ability to discover new targets using VPNs.

 

(U//FOUO) The Start . . .

- (S//SI//REL) Develop new corporate VPN tool (DARKSUNRISE).
  - Joint collaboration between CES and the NAC.
  - Take advantage of cloud architecture.
  - Strive to meet the needs of the entire VPN community.
(U//FOUO) To The Cloud

- (S//SI//REL) Data stored in MDR2, the corporate metadata repository.
  - Stores one year of DNI metadata.
  - Enables filtering, aggregating, and transforming large datasets quickly.
  - Manage high data volumes.
  - Answer VPN questions efficiently and easily.
(S//SI//REL) What are Some of the Needs of the VPN SIGDEV Community?

- (S//SI//REL) Allow SIGDEVers to spend time analyzing data instead of gathering and processing the data first.
- (S//SI//REL) Make VPN SIGDEV more widely understood by simplifying and automating the SIGDEV process.
- (S//SI//REL) Robust Structure
  - Allow for multiple VPN and network encryption [...]
  - [...] incorporation of new analytics.
(S//SI//REL) What are Some of the Questions?

- (S//SI//REL) Basic Questions
  - Is my target using a VPN?
  - What are all of the VPNs from country BadGuyLand?
  - Tell me all of the VPNs where domain = sita*.
  - Tell me all of the VPNs where the vendor ID = Cisco.
(S//SI//REL) What are Some of the Questions?

- (S//SI//REL) Specialized Questions
  - What are all of the VPNs that are bi-directional?
  - What are all of the VPNs that are paired?
  - Tell me all of the VPNs (and how many) that a particular VPN talks to (persistent hubs/centrality).
  - What are all of the VPNs that are of interest (via Target Network Service)?
  - What VPNs are associated to a router config?
  - What are all of the VPNs that are persistent?
  - For which VPNs do we have a PSK?
(S//SI//REL) What are Some of the Questions?

- (S//SI//REL) Synthesizing the Information
  - What are all of the VPNs that are bi-directional, persistent, and of interest?
  - What are all of the VPNs that are paired, persistent, and for which we have a PSK?
  - What are all of the VPNs from country BadGuyLand that are paired, associated to a router config, and of interest?

 

(U//FOUO) DARKSUNRISE

[Screenshot: DARKSUNRISE prototype GUI]

- (U//FOUO) This is a prototype GUI.
- (U//FOUO) Coming Fall 2012
- (S//SI//REL) Find all VPNs that talk to a base VPN.
  - Discover persistent hubs.
  - Can continue chaining outwards.
(U//FOUO) The Metrics Tab

- (S//SI//REL) Count distinct VPN records, grouping them by one or more of the following attributes:
  - SIGAD
  - Source
  - VPN Type
  - Case Notation
  - Date
- (TS//SI//REL) Total number of VPN type per SIGAD.
(U//FOUO) The Ultimate Goals

- (S//SI//REL) Integrate VPN information into mainstream analytic tools and knowledge bases.
- (S//SI//REL) Give analysts the ability to discover, develop, and track known targets using VPNs.
- (S//SI//REL) Give analysts the ability to discover new targets using VPNs.

(U//FOUO) Questions?

S3622
Network Analysis Center

 

